Platform Privacy Statement

Date: 6 May 2021; version: 2.0

Our view

CarePay has the mission to give everyone the power to care by enabling mobile access to healthcare services. For this purpose, we operate the CarePay platform and in doing so we handle personal data of platform users. Processing personal data comes with responsibilities on privacy, confidentiality, access and consent, which we take seriously.

CarePay endorses and seeks to comply with applicable data protection laws. In Kenya, this is the Kenya Data Protection Act (KDPA), while we also observe the principles of the European General Data Protection Regulation (GDPR) throughout the CarePay group. We design our services to be compliant with the KDPA and GDPR and to ensure we process personal data with a legal basis and in accordance with the processing purpose, while respecting your right to privacy.

To protect the personal data of CarePay platform users, our platform has built-in technical safeguards. We use up-to-date knowledge and tools to protect data in line with industry standards. We continuously evaluate the security of our systems and processes to improve them where necessary.

Privacy Statement

Introduction
CarePay endeavours to process your personal data carefully, securely, and confidentially. It is important to us that you have confidence in our organisation regarding the processing of your personal data. This privacy statement is intended for users of the CarePay platform and provides information about the processing of personal data through our platform’s web-portals and online applications. Information on the processing of personal data of users of the services and products delivered via our platform is provided in our Terms of Service

What is personal data?
Personal data are all data that can be traced back to a person. Examples include your name, address, telephone number and account number. Where we can, we pseudonymise your personal data so that it is no longer directly traceable to you as a person.

Which personal data do we process and why?
We process your personal data to enable and enhance your use of the platform. We process your username (e-mail address or phone number) and password to allow you to access the platform. We also process your username when you make a request on the platform, for example to download or save information. To know whether our platform can be visited properly and to locate and address root causes of errors, we process user actions (using cookies), IP address, location information and device details, in each case in pseudonymised form. This way we can provide our users a seamless experience, update the platform functionalities where necessary and expedite solving technical errors, while limiting the impact on your privacy.

Which parties process personal data for us?
CarePay has engaged various third-party processors for the processing of personal data on the web-portals and online applications of our platform. This includes AWS (Amazon Web Services) as host of our platform on their cloud servers, meaning AWS processes the platform data, including personal data. Google Analytics processes user actions in pseudonymised form to provide insights on the use of our platform and enables us to improve the platform user experience. We also use other third-party processors to enable us to develop, operate and monitor our platform as well as solve technical errors. As the platform is under development, these parties may change from time to time. You can contact us for an up-to-date overview and further information.

What is the legal basis for processing and how do we limit impact on your privacy?
The legal basis we use to process your personal data on the platform is the legitimate interest of CarePay to develop, operate and improve its platform web-portals and online applications. We take the following measures to limit the impact of our data processing on your privacy:

  • Where it is not important for us to know exactly who the platform user is, we process user data in pseudonymised form.
  • We offer you the opportunity to opt out of the use of Google Analytics.
  • We use processors who have privacy/security policies and offer a data processing agreement with standard contractual clauses safeguarding data privacy.
  • The processors may only process your personal data to support us in developing, operating and improving the platform.

 

Who is the data controller for the processing of personal data?
CarePay is the data controller for the processing of personal data on the platform:

CarePay Kenya Limited
114 East Manyani,
off James Gichuru,
Nairobi, Kenya.

‍Do we share your data with other parties?
Your personal data will be treated confidentially and will only be processed for the purposes set out in this statement. Where necessary to develop, operate and improve the platform web-portals and online applications, we share data with our third-party processors as described in this statement and with other CarePay group entities supporting the platform. In addition to Nairobi, Kenya CarePay currently has operational offices in Amsterdam, the Netherlands, and Lagos, Nigeria. All CarePay group entities apply appropriate safeguards using commercially reasonable efforts and are a party to a data sharing agreement with clauses safeguarding data privacy. CarePay is sometimes obliged to provide personal data pursuant to legal obligations, such as public investigations.

How do we protect your data?
We collect your data in pseudonymised form as much as possible. We further use commercially reasonable efforts in applying various technical and organisational measures to prevent the personal data from being misused. These measures include for example the encryption of data and training our employees on data privacy.

Where is personal data processed and for how long?
The CarePay platform is hosted on AWS’ European cloud servers and as such platform data is processed in Europe. Other third-party processors supporting our platform, such as Google Analytics, process data on their own servers which may have various locations. Data is also processed in CarePay’s various offices. In each case, all processing is subject to contractual clauses safeguarding data privacy and is only done for as long as necessary for the purpose of developing, operating, and improving the platform. You can contact us for any further information on this.

Third-party websites and the internet
Our platform may contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these websites or policies. The transmission of information over the internet is not completely secure. If you provide us with information over the internet, any transmission is at your own risk. However, once we receive your information, we use commercially reasonable efforts to prevent unauthorised access to your personal data.

What rights do you have?
CarePay considers it important that platform users can properly exercise their rights under data protection laws. In summary, you have the following rights:

  • The right of access: you have the right to see which of your personal data we process.
  • The right of rectification: if your personal data we process are not correct, you have the right to have them adjusted.
  • The right of erasure: if we no longer need your personal data for the purpose for which they were collected, you have the right to ask us to delete them. There are several exceptions to this, such as our obligation to retain certain data, for example for statutory legal or tax requirements.
  • The right to object: it is possible to object to the processing of your personal data, after which a balancing of interests will follow.
  • The right of restriction: during the period that we are in the process of determining whether your data should be rectified, determining the unlawfulness of data processing, determining whether data should be deleted or whether you have rightfully objected to the processing, you have the right to request a restriction of the processing.

How can you contact us?
If you have any questions on the way we process your data or your rights in this respect, or have a complaint or other remark, you can contact us via privacy@carepay.com. This will put you in contact with our Data Protection Officer who is appointed to safeguard compliance with the KDPA.

If you have any questions or issues on the CarePay platform, you can contact our customer support via 0800 721 253 and 0709 071 000.

Filing a complaint with the competent authority
CarePay finds it important to have satisfied platform users. Even though we do everything we can to achieve this, if you are not satisfied, we invite you to reach out to our customer support so we can address your concerns. When it comes to the protection of your personal data it is possible to file a complaint with the supervisory authority, being the Office of the Kenya Data Commissioner (https://www.odpc.go.ke) We would appreciate you contacting us first to give us the opportunity to address your complaint.

Modifications to platform and statement
CarePay may make changes to the platform and its functionalities and reserves the right to update this privacy statement accordingly. If the changes impact the processing of your personal data, we will inform you of such updates upon your next visit to the platform.